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DETAILED ACTION 

1 . Applicant's arguments with respect to claim 1-39 have been considered but are 
moot in view of the new ground(s) of rejection. 

2. Claims 1-39 are presented for examination. 

Claim Rejections - 35 USC §103 

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 1-4, 18-22, 36, and 39 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Shostack et al. (Shostack, Patent No.: US 6,298,445 Bl) in view of 
Fujimori (Patent No.: 6,681,212 B2). 

As per claims 1,18, and 36, Shostack teaches a method/system for detecting 
modifications to risk assessment scanning, comprising 

(a) initiating a risk assessment scan on a target from a remote source utilizing a 

network (Shostack Col. 3 lines 15-17; the remote source module initiating risk 
assessment on the remote (target) computer connected to the network); 

(c) receiving results of the risk assessment scan from the target utilizing the 
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network (Shostack Col. 6 lines 67-col. 7 lines 4 and col. 3 lines 30-32; receiving 
risk assessment scan result from target computer utilizing the network); and 
(d) notifying an administrator if any additional operations are carried out to improve a 
risk assessment in view of intrusion detection (Shostack Col. 6 lines 53-56; 
sending an alarm to the system administrator if risk assessment scan detects an 
intrusion is detection); 

Shostack does not teach an intermediate scan involves an intermediate device 
coupled between the target and remote source. 
However Fujimori discloses 
(b) detecting an intermediate device coupled between the target and the remote 
source (Fujimori Col. 2 lines 1-9; detecting an unauthorized node coupled 
between the authorized node and the monitor node). 



Therefore it would have been obvious to one having ordinary skill in the art at the 
time of the invention was made to employ the teachings of Fujimori within the system of 
Shostack because it would avoid an authorized access by notifying (instructing) the user 
to use the protected mode (Fig. 4B No. 47, and col. 1 lines 62-67). 

As per claim 2 and 19, Shostack and Fujimori teach all the subject matter as described 
above. In addition Fujimori teaches the method or a computer program product, wherein 
the intermediate device includes a router (Fujimori Col. 2 lines 1-9; detecting an 
unauthorized node (router) coupled between the authorized node and the monitor node). 
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As per claim 39 and 20, Shostack and Fujimori teach all the subject matter as described 
above. In addition Fujimori teaches the method or a computer program product, wherein 
the intermediate device includes a proxy server (Fujimori Col. 2 lines 1-9; detecting an 
unauthorized node (proxy server) coupled between the authorized node and the monitor 
node). The rational for combining are the same as claim 1 above. 

As per claim 3 and 21, Shostack and Fujimori teach all the subject matter as described 
above. In addition Fujimori teaches the method or a computer program product, wherein 
a plurality of procedures are utilized to determine whether the risk assessment scan 
involves the intermediate device (Fujimori Col. 2 lines 1-9; detecting an unauthorized 
node coupled between the authorized node and the monitor node). The rational for 
combining are the same as claim 1 above. 

As per claim 4 and 22, Shostack and Fujimori teach all the subject matter as described 
above. In addition Shostack teaches the method or a computer program product, 
wherein at least one of the procedures includes determining a port list associated 
with the risk assessment scan (Shostack Col. 7 lines 17-19). 

As per claim 8 and 26, Shostack and Fujimori teach all the subject matter as described 
above. In addition Fujimori teaches the method or a computer program product, 
wherein the communications include connection attempts between the remote 
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source and the target utilizing the network (Fujimori Col. 1 lines 36-40). The rational for 
combining are the same as claim 1 above. 

As per claim 13 and 31, Shostack and Fujimori teach all the subject matter as described 
above. In addition Fujimori teaches the method or a computer program product, wherein 
the at least one of the procedures further includes indicating that the risk assessment scan 
involves the intermediate device based on the analysis (Fujimori Col. 2 lines 1-9; 
detecting an unauthorized node coupled between the authorized node and the monitor 
node). The rational for combining are the same as claim 1 above. 

5. Claims 5-9, 23-27, and 37-38 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Shostack et al. (Shostack, Patent No.: US 6,298,445 Bl) in view of 
Fujimori (Patent No.: 6,681,212 B2) and Applicant Admitted Prior Art (AAPA). 

As per claim 37, and 38, Shostack teaches a method/computer program product for 
detecting modifications to risk assessment scanning caused by a proxy server, 
comprising: 

(a) initiating a risk assessment scan on a target from a remote source utilizing a 
network (Shostack Col. 3 lines 15-17; the remote source module initiating risk 
assessment on the remote (target) computer connected to the network); 

(d) receiving results of the risk assessment scan from the target utilizing the 

network (Shostack Col. 6 lines 67-col. 7 lines 4 and col. 3 lines 30-32; receiving 
risk assessment scan result from target computer utilizing the network); 
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(e) flagging the results of the risk assessment scan (Shostack Col. 6 lines 53-56; 
sending an alarm flag if risk assessment scan detects an intrusion is detection); 
and 

(f) notifying an administrator if the results of the risk assessment scan is 
flagged (Shostack Col. 6 lines 53-56; sending an alarm to the system 
administrator). 

Shostack does not explicitly teach: 

(b) executing a plurality of procedures to determine whether the risk 
assessment scan involves a proxy server coupled between the target and the 
remote source; 



However Fujimori discloses 

executing a plurality of procedures to determine whether the risk assessment scan 
involves a proxy server coupled between the target and the remote source 
(Fujimori Col. 2 lines 1-9; detecting an unauthorized node coupled between the 
authorized node and the monitor node); 

Therefore it would have been obvious to one having ordinary skill in the art at the 
time of the invention was made to employ the teachings of Fujimori within the system of 
Shostack because it would avoid an authorized access by notifying (instructing) the user 
to use the protected mode (Fig. 4B No. 47, and col. 1 lines 62-67). 



Application/Control Number: 09/895,498 Page 7 

Art Unit: 2136 

Shostack and Fujimori do not explicitly teach an ip_ttl flag, a tcp_win flag, a via 
tag, and a host header value. 

However AAPA discloses ip_ttl flag, and tcp_win flag as a well known (AAPA 
page 6 par. 4-page 10 par. 2). 

Therefore it would have been obvious to one having ordinary skill in the art at the 
time of the invention was made to employ the teachings of AAPA within the combination 
system of Shostack and Fujimori because it would allow to determine unauthorized 
(intermediate) device by comparing the values of the flags. Data is sent to different nodes 
and tag values are compared. If the tag values are different identify the new node. 

As per claim 5 and 23, Shostack, Fujimori, and AAPA teach all the subject matter as 
described above. In addition AAPA teaches the method/computer program product, 
wherein the at least one of the procedures further includes ip__ttl flag, and tcp_win flag as 
a well known (AAPA page 6 par. 4-page 10 par. 2). The rational for combining are the 
same as claim 37 above. 

As per claim 6 and 24, Shostack, Fujimori, and AAPA teach all the subject matter as 
described above. In addition AAPA teaches the method or a computer program product, 
wherein the flag includes an ip-ttl flag as a well known (AAPA page 6 par. 4-page 10 par. 
2). The rational for combining are the same as claim 37 above. 

As per claim 7 and 25, Shostack, Fujimori, and AAPA teach all the subject matter as 
described above. In addition AAPA teaches the method or a computer program product. 
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wherein the flag includes a tcp-win flag as a well known (AAPA page 6 par. 4-page 10 
par. 2). The rational for combining are the same as claim 37 above. 

As per claim 9 and 27, Shostack, Fujimori, and AAPA teach all the subject matter as 
described above. In addition AAPA teaches the method or a computer program product, 
wherein the at least one of the procedures further includes indicating that the risk 
assessment scan involves the intermediate device, if the value of the flag is different for 
the communication attempts using the at least two ports on the port list (AAPA page 6 
par. 4-page 10 par. 2; ip-ttl flag as a well known ). The rational for combining are the 
same as claim 37 above. 

6. Claims 10-14, and 28-32 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Shostack et al. (Shostack, Patent No.: US 6,298,445 Bl) in view of 
Fujimori (Patent No.: 6,681,212 B2), and Mizrachi et al. (Mizrachi, Pub. No.: US 
2003/0033486 Al). 

As per claim 10 and 28, Shostack and Fujimori teach all the subject matter as described 
above. 

Shostack and Fujimori do not explicitly teach transmitting request and cached 
version of the content to the target. 

However Mizrachi discloses the method or a computer program product, wherein 
at least one of the procedures includes transmitting a first request for content to the target 
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utilizing the network, and transmitting a second request for a cached version of the 
content to the target utilizing the network (Mizrachi Page 3 par. 0029). 

Therefore it would have been obvious to one having ordinary skill in the art at the 
time of the invention was made to employ the teachings Mizrachi within the combination 
system of Shostack and Fujimori because the cache server would store cached content 
and identify the next user's access request from the cached content stored in the cache 
content server by comparing the newly access request and previously stored cached 
content and allow fast access if the newly access request is previously stored in the cache 
content server. It would be obvious to one skilled in the art to modify the teachings of 
Mizrachi and detect the new node by comparing cached content when cached content is 
different from target node. 

As per claim 1 1 and 29, Shostack, Fujimori and Mizrachi teach all the subject matter as 
described above. In addition Mizrachi teaches the method or a computer program 
product, wherein the cached content is requested from the target utilizing a via tag 
(Mizrachi Page 1 par. 0033; TCP/IP Via tags is a well known TCP/IP tool for obtaining 
cached content utilizing the Internet). The rational for combining are the same as claim 
10 above. 

As per claim 12 and 30, Shostack, Fujimori and Mizrachi teach all the subject matter as 
described above. In addition Mizrachi teaches the method or a computer program 
product, wherein the at least one of the procedures further includes analyzing responses 
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to the first and second requests (Mizrachi Page 3 par. 0029; analyzing access request and 
cached content). The rational for combining are the same as claim 10 above. 

As per claim 14 and 32, Shostack, Fujimori and Mizrachi teach all the subject matter as 
described above. In addition, the method or a computer program product, wherein the at 
least one of the procedures further includes indicating that the risk assessment scan 
involves the intermediate device if the responses to the requests are different (Mizrachi 
Page 3 par. 0029, and Fujimori Col. 2 lines 1-9). The rational for combining are the same 
as claim 10 above. 

Claims 15-17 and 33-35 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shostack et al. (Shostack, Patent No.: US 6,298,445 Bl) in view of Fujimori (Patent No.: 
6,681,212 B2), and in further view of Hopmann et al. (Hopmann, Patent No.: US 
6,578,069 Bl). 

As per claim 15 and 33, Shostack and Fujimori teach all the subject matter as described 
above. 

Shostack and Fujimori so not explicitly teach request without specifying a host 
header value. 

However Hopmann discloses the method/computer program product, wherein at 
least one of the procedures includes transmitting a request without specifying a host 
header value (Hopmann Col. 16 lines 6-11). 

Therefore it would have been obvious to one having ordinary skill in the art at the 
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time of the invention was made to employ the teachings Hopmann within the 
combination system of Shostack and Fujimori because it would create reconnection to the 
client. 

As per claim 16 and 34, Shostack, Fujimori and Mizrachi teach all the subject matter as 
described above. In addition Hopmann teaches the method or a computer program 
product, wherein the at least one of the procedures further includes identifying an error 
message in response to the request (Hopmann Col 16 lines 6-11). 

As per claim 17 and 35, Shostack, Fujimori and Mizrachi teach all the subject matter as 
described above. In addition Hopmann teaches the method or a computer program 
product, wherein the at least one of the procedures includes indicating that the risk 
assessment scan involves the intermediate device, (Hopmann Col. 16 lines 6-1 1). 



7. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Eleni A Shiferaw whose telephone number is 571-272- 
3867. The examiner can normally be reached on Mon-Fri 8:00am-5:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R Sheikh can be reached on 571-272-3795, The fax phone number for 
the organization where this application or proceeding is assigned is 703-872-9306. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). 



Eleni Shiferaw 
Art Unit 2136 
January 14, 2005 




